Common Issues
The following describes common issues and questions related to Google Apps Directory Sync (GADS).
Configuration Manager
When creating an exception rule, the dialog box does not have an OK button.
You may be using a font that is too large for the screen. The dialog box does not work with Extra Large Fonts or Large Fonts. Change your font size, or edit your XML file directly.
What port numbers should be used in GADS when connecting to Global Catalog server?
By default, GADS connects to an LDAP server on the standard LDAP port, 389, to query users from a single domain or LDAP server.
If you need to query users across multiple domains or LDAP servers that have a trust relationship, configure GADS to connect to a Global Catalog server on the standard Global Catalog port, 3268. If you enable SSL for the LDAP connection, use the corresponding SSL ports instead: 636 for LDAP and 3269 for the Global Catalog. With plain LDAP and a simple bind, the administrator credentials cross the network in clear text, so prefer the SSL ports wherever the directory server supports them.
User Sync Errors
Error Message: You are not authorized to access this API
Confirm that you are using Google Apps for Work, Partners, Government, or Education.
Enable APIs on your Google Apps domain, as described in Enable APIs.
Error Message: Domain User Limit Exceeded
You attempted to add more users than you have licensed seats. Contact your sales representative to purchase more user licenses, or change your LDAP queries to synchronize fewer users.
Group Sync Errors
Groups with over 1500 members in my Active Directory server aren't syncing correctly.
Make sure you have selected MS Active Directory in the Server Type field of the LDAP Configuration section. Active Directory does not return more than a limited number of values of a multi-valued attribute such as member in a single response (1500 by default); the remaining values have to be requested in further ranges, and GADS only does this when the server type is MS Active Directory. With another server type selected, GADS sees only the first range of members.
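The reason the server type matters is Active Directory's ranged retrieval of large multi-valued attributes. The following Python example is added here to illustrate that mechanism; it is not GADS code and it does not talk to a real directory. It uses a constructed in-memory stand-in for a domain controller whose MaxValRange is the default 1500, and the member;range=low-high attribute naming is Active Directory's own convention rather than anything from this page. A client that does not follow the range hints sees only the first 1500 members, which is exactly the symptom described above.

```python
"""Active Directory ranged retrieval of a large multi-valued attribute (added example)."""
import re

# AD names partial attribute values as  attr;range=low-high ; high is '*' for the final chunk.
RANGE_RE = re.compile(r'^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$', re.IGNORECASE)


def parse_range_attr(name):
    """Return (attribute, low, high) for 'member;range=0-1499'; high is None for '*'.
    Returns None when the name carries no range, i.e. the whole attribute was returned."""
    m = RANGE_RE.match(name)
    if not m:
        return None
    hi = None if m.group('hi') == '*' else int(m.group('hi'))
    return m.group('attr'), int(m.group('lo')), hi


class FakeAdServer:
    """Constructed stand-in for a domain controller. Assumption: MaxValRange defaults to 1500."""

    def __init__(self, members, attr='member', max_val_range=1500):
        self.members = list(members)
        self.attr = attr
        self.max_val_range = max_val_range

    def search(self, requested):
        """Answer a request for 'member' or 'member;range=lo-*' the way AD does."""
        parsed = parse_range_attr(requested)
        if parsed is None:
            if len(self.members) <= self.max_val_range:
                return {self.attr: list(self.members)}   # small group: no range header at all
            lo = 0
        else:
            lo = parsed[1]
        hi = lo + self.max_val_range
        chunk = self.members[lo:hi]
        if hi >= len(self.members):
            key = f'{self.attr};range={lo}-*'            # '*' marks the last chunk
        else:
            key = f'{self.attr};range={lo}-{hi - 1}'
        return {key: chunk}


def naive_fetch(server, attr='member'):
    """What a client that ignores range hints gets: at most one chunk."""
    return next(iter(server.search(attr).values()))


def fetch_all_members(server, attr='member'):
    """Follow the range hints until the server returns the chunk ending in '*'."""
    members = []
    request = attr
    while True:
        (name, values), = server.search(request).items()
        parsed = parse_range_attr(name)
        if parsed is None:          # whole attribute came back in one piece
            return values
        _, _, hi = parsed
        members.extend(values)
        if hi is None:              # final chunk
            return members
        request = f'{attr};range={hi + 1}-*'


if __name__ == '__main__':
    big = FakeAdServer(f'CN=user{i},OU=People,DC=example,DC=com' for i in range(3200))
    print(len(naive_fetch(big)), 'members seen without ranged retrieval')
    print(len(fetch_all_members(big)), 'members seen with ranged retrieval')
```

Running the block shows 1500 members without ranged retrieval against 3200 with it. The same range syntax can be issued by hand from an LDAP browser to confirm that a group really is larger than what the sync reports.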
Synchronization Rules
Users are getting recreated on every sync
This happens when the LDAP attribute configured as the Group Name Attribute does not contain a full email address.
To resolve this issue, check your Group Search rules and make sure that GADS uses a full email address for the group names. Use one of the following methods:
A group rule or exclusion rule doesn't seem to be doing anything.
Check the scope of the rule. A rule with scope BASE matches only the entry at the base DN itself, and ONELEVEL matches only that entry's immediate children, so users or groups that live deeper in the tree are never evaluated. If that is the case, set the scope to SUBTREE.
A group rule generates errors.
Check the Group Search Attribute in LDAP Configuration. This is the field that contains the email address of a group. In most cases, this will be mail.
How can I exclude a specific LDAP organization?
You cannot create an LDAP rule to exclude users in a specific LDAP organization. Instead, limit the authority of the LDAP administrator account you use, removing its read access to any OUs you do not want to synchronize. GADS only reads from LDAP, so this account should not have write access to the directory in any case.
Connections and Security
What specific ports and URLs need to be accessible for Directory Sync to function?
Please note that this information can change over time. For the latest information, check for updates.
Directory Sync currently accesses the following URLs:
For information on how to create an up-to-date list of Google IP addresses, see the help center article, Google IP address ranges.
If GADS is unable to connect to the certificate revocation list (CRL) providers, you may see the following error in your GADS log file:
PKIX path validation failed: revocation status check failed: no CRL found
The revocation check downloads CRLs from the HTTP URLs listed in the CRL distribution points of the server certificate chain. Those URLs, not only the Google API endpoints, must be reachable through your firewall or proxy.
The proxy environment requires a password challenge (proxy authentication) for external web access.
GADS can use a proxy server but cannot respond to a proxy authentication challenge. To run synchronization, you will need to change your network setup so that Directory Sync can connect through the proxy without being challenged for credentials, or so that it can connect without a proxy server.
I cannot simulate a synchronization because the notifications server is not specified.
To run a simulated synchronization, you will need a server capable of sending mail. If you are running Directory Sync on a mail server machine, you can use the IP address for your mail server. Otherwise, contact your mail administrator for the correct mail information.
How securely are passwords stored?
GADS stores passwords using a two-way (reversible) encryption scheme. This protects them from casual snooping when the configuration file is viewed or copied. It is not a substitute for access control: because GADS must decrypt the passwords to use them, anyone who can run GADS as the same account, or who obtains its key material, can recover them. Restrict filesystem permissions on the configuration file to the account that runs the sync.
To convert a configuration file to the new format with encrypted passwords:
You can also upgrade the file with the following command-line executable:
upgrade-config -c [filename]
where [filename] is the name of the XML configuration file to upgrade.
LDAP Directory Server
The Base DN information doesn't seem to be correct.
Check your Base DN for stray whitespace: leading or trailing spaces, or spaces after the commas that separate its components. A space that is part of a name (for example an OU called Sales Team) is fine, but it must match the directory exactly.
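Both the scope question in Synchronization Rules above and the Base DN question here come down to how a DN is split into components and compared. The following Python example is added to show that; it is not GADS code and makes no claim about how GADS parses its configuration. The scope names BASE, ONELEVEL and SUBTREE are the standard LDAP search scopes (the page itself mentions only SUBTREE), and the sample DNs are constructed for the example.

```python
"""LDAP DN parsing and search-scope evaluation (added example)."""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes (RFC 4514),
    so 'CN=Smith\\, John,OU=Sales,DC=example,DC=com' yields four components."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == ',':
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append(''.join(buf))
    return rdns


def normalize_dn(dn):
    """Strip stray whitespace around separators and '=', and lowercase attribute types.
    Whitespace inside a value (OU=Sales Team) is kept, because it is part of the name."""
    parts = []
    for rdn in split_dn(dn):
        typ, sep, val = rdn.partition('=')
        if not sep:
            raise ValueError(f'malformed RDN {rdn!r} in {dn!r}')
        parts.append(f'{typ.strip().lower()}={val.strip()}')
    return ','.join(parts)


def in_scope(entry_dn, base_dn, scope):
    """Does entry_dn fall within a search rooted at base_dn with the given scope?
    BASE: the base entry only; ONELEVEL: its immediate children; SUBTREE: base and all descendants.
    Comparison is case-insensitive, as it is for the cn/ou/dc attributes used here."""
    entry = [r.casefold() for r in split_dn(normalize_dn(entry_dn))]
    base = [r.casefold() for r in split_dn(normalize_dn(base_dn))]
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)
    if scope == 'BASE':
        return depth == 0
    if scope == 'ONELEVEL':
        return depth == 1
    if scope == 'SUBTREE':
        return True
    raise ValueError(f'unknown scope {scope!r}')


def matching_entries(entry_dns, base_dn, scope):
    """Filter a list of entry DNs the way a search rule with this base and scope would."""
    return [dn for dn in entry_dns if in_scope(dn, base_dn, scope)]


if __name__ == '__main__':
    # Constructed sample directory; these DNs are not from the original page.
    entries = [
        'OU=Sales,DC=example,DC=com',
        'CN=alice,OU=Sales,DC=example,DC=com',
        'CN=bob,OU=EMEA,OU=Sales,DC=example,DC=com',
        'CN=Smith\\, John,OU=Sales,DC=example,DC=com',
        'CN=carol,OU=Engineering,DC=example,DC=com',
    ]
    for scope in ('BASE', 'ONELEVEL', 'SUBTREE'):
        print(scope, matching_entries(entries, 'OU=Sales,DC=example,DC=com', scope))
    print(normalize_dn(' OU=Sales , DC=example, DC=com'))
```

With base OU=Sales,DC=example,DC=com, a ONELEVEL rule matches alice and Smith, John but not bob in the nested EMEA OU; only SUBTREE reaches him. The last line shows a Base DN typed with stray spaces after the commas reduced to the form a server would actually match against.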
How do I find out information about my LDAP server fields?
You will need to download an LDAP browser. An LDAP browser allows you to browse through an LDAP directory server and identify all fields and values. Many directory servers do not include a complete LDAP browser. For information on LDAP browsers, see Step One: Install LDAP Browser.
An LDAP query that includes a wildcard isn't working with Lotus Domino LDAP.
Lotus Domino has a setting, "Minimum characters for wildcard search", that controls how many literal characters must precede the wildcard before the server will run the search. Either update your search filter so that the text before the wildcard meets the minimum, or lower the setting on the Domino server.